First go at a certbot/letsencrypt role for Fedora Infra

To use it:

1) Include the role in your playbook. This will install certbot and put a
   tiny bit of Apache config in place, along with a monthly cron to attempt to
   renew certificates.
2) Add the following lines to your Apache virthost:

  RewriteEngine on
  RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]

2) ssh to the relevant box

  # TODO: Fix selinux stuff - the cron won't work until it's fixed either.
  service httpd graceful
  setenforce 0
  certbot certonly --manual-public-ip-logging-ok --webroot -w \
    /srv/web/acme-challenge/ -d YOURINSTANCE.fedorainfracloud.org
  setenforce 1

3) Add your SSL VirtualHost. An Ansible template with something like this
   should possibly work:

  <VirtualHost {{public_ip}}:443 _default_:443>
    ServerName YOURINSTANCE.fedorainfracloud.org

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/YOURINSTANCE.fedorainfracloud.org/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/YOURINSTANCE.fedorainfracloud.org/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/YOURINSTANCE.fedorainfracloud.org/fullchain.pem
    SSLHonorCipherOrder On
    SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
    SSLProtocol ALL -SSLv2

    <!-- Your actual config goes here! -->
  </VirtualHost>
